March 2013 www.csoonline.com


TECH: Medical Information Hack Bodes Ill for Privacy 6


RISK:  Getting  a  Handle  on  Your 
Real  Risk  Appetite  14 

LEAD:  Hottest  Security  Skills  for  2013  22 


MIDSIZE  BUSINESSES  ARE  THE  ENGINES  OF  A  SMARTER  PLANET 


FROM LIMITED I.T. RESOURCES
TO UNLIMITED POTENTIAL.


FOR  MIDSIZE  BUSINESSES, 

A  REDEFINING  MOMENT. 

In  the  past,  midsize 
organizations  with  big  ideas 
were  constrained  by  limited 
IT  resources.  Not  anymore. 
With  the  arrival  of  scalable, 
affordable  cloud  computing, 
sophisticated  ideas  for  new 
products  no  longer  languish. 
Personalized  customer 
service  generates  incremental 
sales.  And  new,  revenue-rich 
markets  are  being  created 
every  day. 


It’s  shaking  up  industries  and 
providing  new  opportunities 
for  new  players,  with  many 
pioneering  midsize  businesses 
once  again  leading  the  way. 
Consider:  92%  of  midsize 
companies  say  they  will  pilot 
or  adopt  a  cloud  solution 
within  the  next  36  months. 

Progressive companies like LINK Institute, the Swiss consumer research firm with 110 employees, are doing it right now.


What  can  the  cloud  do 
for  your  midsize  business? 


“We can assess a consumer’s emotive response more accurately.”

— Tim Llewellynn, nViso CEO


Extend  Collaboration 




REINVENT  WITHOUT 
REINVESTING  IN  I.T. 

LINK wanted a faster, more accurate way to measure consumer sentiment. Working with a powerful facial recognition solution created by IBM Business Partner nViso in the IBM SmartCloud™, LINK is now capturing respondent reactions to marketing messages in real time, via home webcams. Scores are generated every second for 7 emotions. And LINK gets its results up to 90% faster.


In the past, a data-rich solution like LINK’s would have been impractical for a midsize company. But in the cloud, traditional research is history. And a new service has transformed a business.

Get  started  by  learning  how 
IBM  and  its  Business  Partners 
are  helping  midsize  businesses 
reinvent  themselves  at 

ibm.com/engines/cloud 


LET’S  BUILD  A 
SMARTER  PLANET. 


¹2011 IBM Institute for Business Value/Economist Intelligence Unit Cloud-Enabled Business Model Survey. IBM, the IBM logo, ibm.com, IBM SmartCloud, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2012


Cover  photo  by  Stephen  Webster 


March  2013  Volume  12,  Number  2 


A  Winning 
Strategy 

30 How one CSO is unifying the security programs in a bustling Midwestern city

BY  GEORGE  V.  HULME 


Also Inside

2  Editor’s  Letter 

4  Publisher’s  Letter 

36  Last:  Some  feedback 
on  your  training  session 


tech 

6  DNA  Hack  Could  Make  Medical 
Privacy  Impossible 

8 Threat of Pre-emptive Cyberattack Is a Warning to China

9  Anonymous  Publishes  Personal 
Information  of  4,000  Bankers 

10  What  Happens  When  Security  Tools  Fail 

11  Protect  Against  a  Hack  Like  the 
One  That  Hit  the  New  York  Times 

12  Wisdom  Watch:  Broken  Tools  Edition 

12  Gozi  Takedown  Is  Big,  But  Not  Big  Enough 

risk 

14  What’s  Your  Appetite? 

18  Getting  the  Board  on  Board 

lead 

22  The  Hot  Security  Skills  of  2013 

24  Social  Security 

26  Are  You  Reactive  When 
You  Should  be  Proactive? 

28 5 Tough Interview Questions (and Tips for the Best Ways to Answer Them)




Input/Output 


Garbage in, garbage out. That’s a by-now ancient saying in the computing world. It’s the digital equivalent of “you are what you eat.” And it’s also reminiscent of another old saw, that the definition of insanity is doing the same thing over and over while expecting a different result.

Three  cliches  in  one  column!  Usually  I  try  to 
keep  it  to  just  one.  But  these  expressions  all  get 
at  a  worthwhile  concept:  If  you  want  optimal 
output,  you  have  to  keep  fine-tuning  the  inputs. 

So  ask  yourself:  What  new  inputs  have  you 
added  lately? 

As a magazine and website, CSO is talking to new sources. Not only new security leaders, but also people from a broader spectrum of risk-management disciplines. Take a look at the two articles in our Risk section this month (every month, really). You’ll see folks interviewed who are outside of what’s sometimes referred to as the security “echo chamber.”

The point is to bring new perspectives to bear on the challenges of protecting your organizations. If you can translate these perspectives into new actions (a new process, a new approach to communication, a new structure or system or technology), you stand to improve your results.

Make some LinkedIn connections outside of your normal circles. Read a new book.


Follow  some  new  blogs.  Learn  statistics.  Join 
Toastmasters. 

Do something creative just for the neural value: take a course in painting or piano. I once spent several hours learning to play Guitar Hero left-handed. It’s pretty funny to watch your brain wrestle to do something it’s just not wired for.

New  inputs,  better  outputs. 

-Derek  Slater,  Editor  in  Chief, 
dslater@cxo.com 


Editor  in  Chief 

Derek Slater
dslater@cxo.com 
508  935-4213 
Twitter:  @derekcslater 

Managing  Editor 

Bill  Brenner 
bbrenner@cxo.com 
508  988-7587 
Twitter: @billbrenner70

Senior  Editor 

Joan  Goodchild 
jgoodchild@cxo.com 
508  988-7994 
Twitter:  @msjoanieg 

Senior  Editor,  Copy  and  Production 

Colleen  Barry 

Executive  Director,  Art  and  Design 

Mary  Lester 

Art  Director 

Steve  Traynor 

Editorial  Administrator 

Pat  Josefek 

Research  Manager 

Carolyn  Johnson 

Contributors 

Taylor  Armerding,  Mary  Brandel, 
John  E.  Dunn,  Elisabeth  Horwitt 
George  V.  Hulme,  Gregg  Keizer, 
Jeremy  Kirk,  Richard  Power, 
Jaikumar  Vijayan,  Bob  Violino 

Editorial/Advertising/ 
Business  Offices 

492  Old  Connecticut  Path, 

P.O.  Box  9208 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

Subscriber  Services 

Phone:  866  354-1125 
Fax: 847 564-9453
cso@omeda.com 


International  Data  Group 
Chairman  of  the  Board 

Patrick  J.  McGovern 


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: J. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 international. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


IDG  Communications,  Inc. 
CEO 

Bob  Carrigan 

Chief  Content  Officer 

John  Gallant 








[Image captions, partly lost in extraction: “Avigilon spotted a man in this ... who was caught ... and identified by his ... Meanwhile, analog identified ...”]

Only our high-definition surveillance solutions give you the full story.

Identify incidents quickly and enhance response times with the superior image detail of an Avigilon end-to-end system. See how Avigilon can help your organization at avigilon.com/casestudies

Avigilon
The Best Evidence

The top three images were shot with an Avigilon 29 MP HD Pro camera. The fourth image was shot with an analog camera.


Yet  Another  Voluntary  Framework 


In President Obama’s much-anticipated Executive Order on Improving Critical Infrastructure Cybersecurity, we got a glimpse into the administration’s efforts to address an issue Congress has failed to tackle: cyber-risk in the critical infrastructure. I spent an hour studying the order, and I was hoping to see some steps toward strengthening critical infrastructure.

The cornerstone of the order is the Cybersecurity Framework (CSF), which will be developed by the National Institute of Standards and Technology and will incorporate “voluntary consensus standards and industry best practices.”

Given the plethora of frameworks that already exist, and considering the failure of most frameworks to actually improve cybersecurity, the administration should be called for piling on after the play was ruled dead. The word “voluntary” appears six times in the order. But what can be accomplished by yet another framework that offers voluntary standards and industry best practices, but that carries no adequate incentives? When there’s no stick and no carrot, the mule will just stand there.

Businesses already use standards and best practices to manage risks. Where this model breaks down is when the business’ idea of acceptable risk runs contrary to the nation’s idea of acceptable risk. It is in this chasm that government should step in and help, or coerce, a business into adjusting its risk models for the greater good. As loyal readers of my musings, you know that I abhor regulation, but in this situation I believe that the greater good may outweigh free-market dynamics. We must protect our critical infrastructure or we will surely, someday soon, regret that we did not.

I will give credit where credit is due. The order does require that by mid-June the secretaries of Homeland Security, Treasury and Commerce establish a set of incentives designed to promote adoption of the CSF. I will reserve judgment until we see what those incentives are, but they do need to provide liability and public disclosure exemptions if the CSF has any hope of working.

Forcing  businesses  to  do  something  for  the 
greater  good  sounds  simple  in  theory,  but  rarely 
turns  out  to  be  in  practice.  The  order  is  full  of 
deadlines  stretching  into  next  year,  and  I  will 
follow  its  progress  closely. 

-Bob  Bragdon,  publisher 
bbragdon@cxo.com 


Advertiser  Index 

Avigilon . 3 

Cisco  Systems,  Inc . C4 

CSO . 21, 23, 25, 27

GuruCul . C3 


IBM Corp. . C2, 15

LogRhythm . 9, 11, 13

Milestone  Systems  Inc . 17 

Pretek  Corp . 27 


Quantum  Secure  Inc . 7 

RSA, the Security Division of EMC . 19

Tyco  Integrated  Securities . 5 


Executive Committee
President & CEO Michael Friedenberg
Executive Assistant to the President & CEO Pamela Carlson
SVP of Human Resources Patricia Chisholm
SVP of Events Ellen Daly
SVP & Chief Content Officer John Gallant
SVP of Digital Brian Glynn
SVP of Strategic Programs & Custom Solutions Group Charles Lee
SVP, Group Publisher & CMO Bob Melk
SVP & General Manager, Online Operations Gregg Pinsky
SVP of DEMO Neil Silverman
SVP & COO Matthew Smith
SVP & General Manager, CIO Executive Council Pam Stenson
SVP of Digital & Publisher Sean Wegiage

Sales

Publisher Bob Bragdon
Senior National Sales Manager Per Melker
East Coast Regional Director, Integrated Sales Roz Burke
Account Director, Integrated Sales West Mary Hazelton
Sales Associate Sarah Nadeau

Integrated  Media  and  Online  Sales 
East  Coast  Online  Regional  Sales 
Manager  Richard  Hartman 
West  Coast  Online  Regional 
Sales  Manager  Erika  Karr 
Central  Online  Regional  Sales 
Manager  Stacy  Bryne 
Director  of  Ad  Operations  & 
Project  Management  Bill  Rigby 
Director,  Online  Account 
Services  Danielle  Tetreault 

Production 

VP  Production  Services  Chris  Cuoco 
Production  Manager  Heidi  Broadley 

Marketing 

Vice  President,  Marketing  Sue  Yanovitch 
Marketing  &  PR  Manager  Lynn  Holmlund 

List Services

Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

Reprints & Permissions

For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com




Webb  Chappell 


www.TycoIS.com / 1.800.2.TYCO.IS

Tyco Integrated Security. All Rights Reserved. Tyco and Tyco Integrated Security are marks and/or registered marks. Unauthorized use is strictly prohibited. All other marks are the property of their respective owners.

We are Tyco Integrated Security

We’ll help your business security run safer, smarter and

It’s time to turn to the Number 1 team in business security: Tyco Integrated Security.

We’ve got world-class monitoring centers. Thousands of qualified technicians. And a personal passion for helping you protect your business. We’ll help you create powerful security solutions that are customized just for you. And with our team helping you run safer, you can confidently focus on the future of your business.

That’s sharper thinking.

Steve Young
Football Legend

DNA  Hack  Could  Make  Medical  Privacy  Impossible 

Researchers  could  find  your  name  by  taking  samples  from  a  distant  cousin  by  kevin  fogarty 


IT MAY NOW BE POSSIBLE FOR ANYONE, even if they follow rigorous privacy and anonymity practices, to be identified by DNA data from people they do not even know.

A paper published in January in the journal Science describes a process by which it’s possible to identify by name the donors of DNA samples, even without any directly identifying personal information. The technique was developed by a team of geneticists at MIT’s Whitehead Institute for Biomedical Research and is intended to demonstrate that science and technology have surpassed the techniques and laws currently in place for safeguarding private medical data, according to Yaniv Erlich, a fellow at Whitehead and member of the research team.

The point was not to reveal private information, but to demonstrate a systemic weakness that will require research, debate and new laws and technology to overcome, Erlich says. The technique relies on the custom of passing family names down through the father’s family. By statistically modeling the distribution of family names, the researchers were able to narrow the list of possible contributors of DNA samples. They then pinpointed individuals using a range of other publicly available sources, none of which were directly connected to the original donors and none of which included protected personal data.

This isn’t a specific exploit against an effective wall of security, Erlich says. Instead, it demonstrates that genomic research may have grown beyond our ability to conceal the identities of the sources of DNA samples.




Do  you  know  your  physical  security 

access  infrastructure  may  be  open 
to  insider  and  outsider  threats? 


Take  Control  of  your  Physical  Security 
Infrastructure  with  SAFE  Solutions 

Our  SAFE  Software  Suite  is  a  Physical  Identity  and  Access 
Management  System  that  enables  a  global  approach  to  automate 
and  streamline  your  Physical  Security  Infrastructure.  With  SAFE 
Solutions  from  Quantum  Secure,  automate  and  streamline 
physical  access  management,  gain  visibility  and  take  control  of 
on/off boarding processes across global facilities, and closely manage restricted areas to ensure compliance and reduce corporate risks.

SAFE  delivers  attestation  reports  for  compliance  to  regulations 
such  as  SOX,  NERC,  PCI,  HIPAA  and  more.  SAFE  also  performs 
insider  risk  assessment  with  facility  access  analytics,  and  will 
operate  with  disparate  physical  access  (PACS)  and  HR  systems. 
The  SAFE  Software  Suite  is  designed  to  create  unprecedented 
efficiencies  and  lower  all  physical  access  related  risks. 

©  2012  Quantum  Secure,  Incorporated.  All  rights  reserved. 



SAFE is ideal for:

>  Government 

>  Airports  and  Ports 

>  Telecom 

>  Energy  and  Utilities 

>  Healthcare,  Pharmaceuticals 

>  High  Technology 

>  Financial 

>  Higher  Education 

>  Transportation 


QUANTUM  SECURE 

>  quantumsecure.com 


Tech 


The team started with a list of genomes that had already been sequenced, mapped and published for the use of genetic researchers. They analyzed the material to find identifying markers on the Y chromosome, which is present only in men, because surnames are generally passed down through fathers. They compared those Y markers to databases that list such markers along with the surnames of those from whom the samples were taken, but were not able to match all the samples with surnames using confirmed data. They determined which surnames were most likely to belong to which samples using scientifically accepted statistical models that were designed, among other things, to track the movement of regional populations by following the spread of family names.

The next step was more hack than science: The team used record-search engines on the Internet, obituaries, genealogical websites and demographic data from the National Institutes of Health’s Human Genetic Cell Repository. Researchers then linked 50 of the samples to the names of those who contributed them.
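The two steps above (surname inference from Y-chromosome markers, then narrowing with public demographic records) are a linkage attack, and the mechanics are easier to see in code. The following is an added toy example written for this page, not the Whitehead team’s code or data: the haplotype database, the public records, the locus names and the scoring rule are all constructed, and the tolerance of one repeat step is an arbitrary assumption. What it shows is why “no protected personal data” is not the same as “no identifying data”: a sample’s Y markers vote for a surname, and the supposedly harmless state and age bracket that ship with a research sample then cut that surname’s bearers down to one or two names.

```python
"""Toy re-identification pipeline modelled on the surname-inference attack.

Added example; every record below is constructed, not real data.
"""
from collections import Counter

# Constructed Y-STR "database" of the kind hobbyist genealogy sites publish:
# repeat counts keyed by locus, each record carrying the submitter's surname.
YSTR_DB = [
    ({"DYS19": 14, "DYS390": 24, "DYS391": 11, "DYS392": 13, "DYS393": 13}, "Ventner"),
    ({"DYS19": 14, "DYS390": 24, "DYS391": 11, "DYS392": 13, "DYS393": 12}, "Ventner"),
    ({"DYS19": 14, "DYS390": 23, "DYS391": 10, "DYS392": 13, "DYS393": 13}, "Ventner"),
    ({"DYS19": 15, "DYS390": 22, "DYS391": 10, "DYS392": 11, "DYS393": 13}, "Okafor"),
    ({"DYS19": 15, "DYS390": 22, "DYS391": 10, "DYS392": 11, "DYS393": 13}, "Okafor"),
    ({"DYS19": 14, "DYS390": 24, "DYS391": 11, "DYS392": 13, "DYS393": 13}, "Lindqvist"),
    ({"DYS19": 16, "DYS390": 25, "DYS391": 10, "DYS392": 14, "DYS393": 12}, "Rocha"),
]

# Constructed "public records" standing in for obituaries, voter rolls and
# people-search sites: name, surname, state of residence, birth year.
PUBLIC_RECORDS = [
    {"name": "Carl Ventner", "surname": "Ventner", "state": "UT", "birth_year": 1958},
    {"name": "Dale Ventner", "surname": "Ventner", "state": "UT", "birth_year": 1991},
    {"name": "Pete Ventner", "surname": "Ventner", "state": "NC", "birth_year": 1960},
    {"name": "Sven Lindqvist", "surname": "Lindqvist", "state": "UT", "birth_year": 1957},
    {"name": "Emeka Okafor", "surname": "Okafor", "state": "UT", "birth_year": 1959},
]


def genetic_distance(a, b):
    """Total repeat-count steps separating two haplotypes over their shared loci."""
    return sum(abs(a[k] - b[k]) for k in a if k in b)


def infer_surnames(target, db, max_distance=1):
    """Rank surnames by the database entries within max_distance of the target.

    Closer matches carry more weight. Returns (surname, weight) pairs, best first.
    The one-step tolerance is an assumption chosen for this toy, not a rule from
    the paper.
    """
    votes = Counter()
    for haplotype, surname in db:
        d = genetic_distance(target, haplotype)
        if d <= max_distance:
            votes[surname] += 1.0 / (1 + d)
    return votes.most_common()


def narrow_to_individuals(surnames, records, state, age_range, sample_year):
    """Intersect candidate surnames with the stripped-down demographics that
    typically accompany a research sample: state and an age bracket."""
    low, high = age_range
    hits = []
    for surname, _weight in surnames:
        for record in records:
            age = sample_year - record["birth_year"]
            if record["surname"] == surname and record["state"] == state and low <= age <= high:
                hits.append(record["name"])
    return hits


def reidentify(target, state, age_range, sample_year=2013):
    """Run both stages; returns (ranked surnames, candidate individuals)."""
    surnames = infer_surnames(target, YSTR_DB)
    return surnames, narrow_to_individuals(surnames, PUBLIC_RECORDS, state, age_range, sample_year)


if __name__ == "__main__":
    # A "de-identified" sample: its Y markers plus the metadata thought harmless.
    sample = {"DYS19": 14, "DYS390": 24, "DYS391": 11, "DYS392": 13, "DYS393": 13}
    surnames, people = reidentify(sample, state="UT", age_range=(50, 60))
    print("candidate surnames:", surnames)
    print("candidate people:  ", people)
```

With seven database rows and five public records the sample still collapses to two names; at the scale of real genealogy databases the same join is what produced the 50 identifications described above.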

Until now, the risk that private genetic data could be made public was considered fairly limited. Data about samples was kept separate from data about donors, and demographic data about the donors could only be supplied after identifiers were removed.

There is a risk to more than just donors, however. Even people who have never contributed a DNA sample could be identified and genetically typed if a relative has ever donated DNA. That scenario is becoming more likely as recreational genetic genealogy sites gain popularity. These sites trace family trees in part through a genetic component, and they make contributed genetic information available to members of the public, often without the same level of controls used by research or medical institutions. Until now, the identity of donors was considered protected if demographic and genetic data were kept in different databases and certain information was masked in the demographic record.

Legislation to keep research institutes from releasing any demographic information about donors would protect patient privacy, but would eliminate the ability of researchers who have identified markers for a particular disease to also identify the ethnic or cultural background of those who might have it, Erlich says. The whole point of scientific research is to publish the results so other researchers can build on it and develop more effective treatments. On the other hand, genetic information can be misused to identify members of ethnic or racial groups targeted for discrimination or other repressive or exploitative purposes, Erlich says.


Threat  of  Pre-emptive  Cyberattack  Is  a  Warning  to  China 




THE OBAMA ADMINISTRATION’S STATEMENT THAT the president has the power to order a pre-emptive cyberstrike stands as a warning to China, which remains unresponsive to U.S. efforts to curtail digital attacks, cybersecurity experts say.

The New York Times reported last month that officials involved in the administration’s decision told the newspaper that the president could order a strike if the United States determined that a cyberattack capable of destroying critical infrastructure was imminent. The risk would have to threaten national security; threats to corporations or other private entities would be handled by law enforcement.

The disclosure came less than a week after the Times, the Wall Street Journal and the Washington Post revealed that hackers believed to be based in China had breached their computer systems.

While China is not the only country believed to be targeting the United States, its hackers are the most active in cyberespionage against U.S. companies, think tanks and government agencies. Experts believe that a significant number of attacks are state-sponsored.

So far, diplomatic efforts have failed to convince China to curtail attacks before they escalate into a cyberwar. Adam Segal, a senior fellow at the Council on Foreign Relations, wrote in a blog post that China responded to the announcement through state-controlled newspapers, including the PLA Daily, which said the U.S. position could trigger a worldwide arms race. “Unless we find a better medium than the major papers to signal our disapproval, the PLA Daily may be right.”

It’s unclear whether the U.S. threat of a pre-emptive strike will stave off cyberwar, says Murray Jennex, a cybersecurity expert and associate professor at San Diego State University. “It will reduce the risk of nations like Iran and China doing activities that look like hacking, but I think it increases risk overall, as there may be others who attempt to make it look like China or Iran are attacking, and we preemptively attack the wrong target,” he says.

“I think there’s a cyberwar going on now,” says Andrew Serwin, head of the privacy, security and information-management practice at the law firm Foley and Lardner. “And I think it’s a matter of how public we may be about what we’re willing to do.”

—Antone  Gonsalves 






Reuters/Kevin  Lamarque 


Anonymous Publishes Personal Information of 4,000 Bankers


THE PERSONAL INFORMATION OF some 4,000 people in the banking industry, including bank officers, was posted online last month by the hacker collective Anonymous.

The list was initially posted to the website for the Alabama Criminal Justice Information Center (ACJIC), then apparently taken down by that site’s operators. The ACJIC did not respond to a request for comment about the incident.

However, the list was also posted elsewhere online, and it remains available through Google’s web cache. It contains contact information for people with a range of job titles, from cashiers to bank presidents. Phone calls placed to several of the people on the list indicate that the tally is current and accurate. The list also contains logins, hashed passwords and the passwords’ “salts”: random values combined with each password before it is hashed, so that two users with the same password get different hashes and precomputed lookup tables are useless. A leaked salt does not protect a weak password, though; with the salt in hand, an attacker can still try candidate passwords against each hash one account at a time.
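To make concrete what a dump of logins, salted hashes and salts gives an attacker, here is an added example; it is not part of the original article and is not based on the actual leaked data. The hashing scheme (hex SHA-1 over salt followed by password), the three accounts, their salts and the wordlist are all constructed; the real list’s format is not described on the page. It shows both effects at once: the two users who share a password get different hashes, so an attacker cannot spot password reuse or use a precomputed table, yet a per-account dictionary attack using the leaked salt recovers the weak passwords immediately.

```python
"""Salted-hash leak: what the salt does and does not protect.

Added example with constructed data; the leaked list's real format and
hash scheme are not described in the article.
"""
import hashlib


def hash_password(password: str, salt: str) -> str:
    """Assumed scheme for the toy dump: hex(SHA-1(salt || password))."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


# Constructed dump in the shape the article describes: login, hash, salt.
# Two accounts share the weak password "Welcome1"; the third is strong.
LEAKED_DUMP = "\n".join([
    "jdoe,"   + hash_password("Welcome1", "a1b2c3d4") + ",a1b2c3d4",
    "msmith," + hash_password("Welcome1", "9f8e7d6c") + ",9f8e7d6c",
    "cfo,"    + hash_password("Tr0ub4dor&3-xyz!", "00112233") + ",00112233",
])

# A tiny constructed wordlist standing in for the usual multi-million-entry ones.
WORDLIST = ["password", "123456", "Welcome1", "banker2013", "letmein"]


def parse_dump(text: str):
    """Split 'login,hash,salt' lines into records."""
    rows = []
    for line in text.splitlines():
        login, digest, salt = line.strip().split(",")
        rows.append({"login": login, "hash": digest, "salt": salt})
    return rows


def shared_password_groups(rows):
    """Logins whose hashes are identical. With per-user salts this is empty
    even when passwords are reused, which is what a salt buys the defender."""
    by_hash = {}
    for row in rows:
        by_hash.setdefault(row["hash"], []).append(row["login"])
    return [logins for logins in by_hash.values() if len(logins) > 1]


def crack(rows, wordlist):
    """Per-account dictionary attack. The leaked salt is simply reused, so the
    salt slows nothing; only the number of guesses per account matters."""
    found = {}
    for row in rows:
        for candidate in wordlist:
            if hash_password(candidate, row["salt"]) == row["hash"]:
                found[row["login"]] = candidate
                break
    return found


if __name__ == "__main__":
    rows = parse_dump(LEAKED_DUMP)
    print("reuse visible from hashes alone:", shared_password_groups(rows))
    print("recovered by dictionary attack: ", crack(rows, WORDLIST))
```

A salt only defeats precomputation and reuse detection. What slows the per-account attack is a deliberately slow password hash (bcrypt, scrypt or PBKDF2 with a high iteration count); a single fast SHA-1 round, as assumed here, gives an attacker with the salts millions of guesses per second per account.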

“That  means  they  had  to  have  very 
deep  access  to  get  those  combinations,” 
says  Cameron  Camp,  a  senior  researcher 
with  Eset. 

What’s concerning is that the list involves people at many types of financial institutions, Camp says. “How were they able to get logins and passwords and salts for that many bankers? That’s kind of scary.” Anonymous claims it filched the list from computers belonging to the Federal Reserve. Just as the Super Bowl was ending, Anonymous declared on Twitter, “Now we have your attention America: Anonymous’s Superbowl Commercial 4k banker dox via the FED.”

“Breaking into the Federal Reserve just sounds like it would be above and beyond [Anonymous’s] skill set,” says Jeffrey Carr, CEO of Taia Global and author of Inside Cyber Warfare: Mapping the Cyber Underworld. If the list didn’t come from the Federal Reserve, where could it have come from? A common field in the data, labeled “CONTACTID,” may offer a clue, Camp says.

“It’s easy to imagine the source as a banker industry group, government clearinghouse or similar repository where [the victims] were members,” he says.

This move has been linked to Anonymous’s OpLastResort campaign, which was apparently launched in retaliation for the suicide of Aaron Swartz, an Internet pioneer and free-information advocate.

Anonymous, and some criminal justice and computer experts, believe Swartz was driven to take his own life by an overzealous federal prosecutor.

-John  P.  Mello  Jr. 


LogRhythm
The Platform for Big Data Security Analytics.
www.LogRhythm.com


Tech

What Happens When Security Tools Fail

Bill Brenner, managing editor. CSOonline’s Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso

BEATING KASPERSKY OVER the head with my keyboard for making its customers’ lives difficult with a bad update would probably get this column a lot of attention.

But then I’d be overlooking an important fact: Botched software updates are common in the IT vendor world, and security companies are just as vulnerable as everyone else.

That doesn’t mean we should throw up our hands and accept it.

As for Kaspersky’s latest glitch, here’s what we wrote in early February:

“A faulty antivirus update issued by Kaspersky Lab left many of its home and business customers unable to access any websites on their computers.

“Systems administrators using Kaspersky Endpoint Security (KES) on their corporate networks started reporting the problem on Kaspersky’s support forum on the afternoon of Monday, Feb. 4. The reports kept piling up until late that evening.

“‘I have [about] 12,000 machines running KES8 and my help desk started getting calls about an hour ago saying users were having problems accessing various websites,’ one user named bradb21 reported.

“Other users confirmed the problem and attempted to troubleshoot it themselves. Some reported success after disabling the Web protection component or turning off the product’s monitoring for ports 80, 443 and other Web proxy ports.

“Users later posted responses they had received from the company’s technical support representatives. This included a recommendation to temporarily disable the Web antivirus component on the affected computers via the management console, force them to perform a new definition update and re-enable the Web antivirus.”

This isn’t the first time Kaspersky users have suffered. There was the time in 2009 when a hacker breached part of Kaspersky Lab’s U.S. support site by exploiting a flaw in the site’s programming. And unrelated to that hack, the company has issued several botched updates since then.

Other vendors have had bad updates, including Sophos, F-Secure and Panda, all of whom have been honest and apologetic when facing this type of problem.

But I’ve also done hundreds of briefings with vendors over the years, and very few have acknowledged that they are far from perfect. These guys want their products to be seen as bulletproof defenders. The reality is that bulletproof security tools are as mythical as silver-bullet security solutions. Just as no one tool protects against all the threats and vulnerabilities out there, so too is no one security tool impervious to failure.

I believe that when the right variety of tools is used under the right circumstances, you get a defense that is reasonably effective. Not perfect, but better than having no protection at all. When you have true defense in depth, these occasional botched updates don’t deal a crushing blow to an organization’s full set of defenses.

But they still cause disruption. Given all the threats IT security shops have to stay on top of, disruption from their security vendors is the last thing they need. And so my friends in the vendor community need to keep working to do better.

It may be easier said than done. But if it’s not said, it’ll never get done.


iStockphoto 


Reuters/Lucas  Jackson 


Protect  Against  a  Hack  Like  the 
One  That  Hit  the  New  York  Times 


THE CYBERESPIONAGE CAMPAIGN waged against the New York Times by Chinese hackers makes it clear how important it is to assume criminals will eventually break into a system, which means the best defense is to detect intruders as soon as possible.

In January, the Times disclosed that hackers had persistently attacked its computer systems for four months, and had stolen passwords from reporters and employees. Rather than boot the hackers immediately, the Times studied their movements to build better defenses against them. The attacks coincided with an investigative piece the newspaper published Oct. 25, exposing business deals that reaped several billion dollars for relatives of Wen Jiabao, China's prime minister.

The lessons learned from the attack apply to any organization targeted by hackers with the kind of sophistication that is often financed by a nation state. Potential victims typically include defense contractors, multinational corporations, the military, think tanks and government agencies.

Over the course of the attacks on the Times, the intruders installed 45 pieces of custom malware. The Symantec antivirus software the paper was using detected only one.

One important step the company took in September, when it learned it might be targeted by hackers in China, was to notify its ISP to watch for unusual activity in outbound traffic from the network. AT&T eventually did report anomalies, which prompted the Times to investigate and to hire security firm Mandiant to monitor and remove the hackers.

Investigators suspect the attack relied on spear phishing to get access, meaning workers unwittingly installed malware. Once the computers were compromised, the hackers installed remote access tools to steal data.

To prevent a breach like this, organizations can either stop malware from making it onto their computers in the first place, or detect and eliminate it quickly if it gets through.

The first step toward keeping malware off computers is always educating employees about security. Organizations might also consider whitelisting (using software that allows only pre-approved applications to run), but this technology is difficult to manage because employees always want to run other software. Sandboxing, on the other hand, allows unauthorized applications to run but strictly limits what network resources they can access. Similarly, micro-virtualization protects data by running risky tasks in a micro virtual machine. Another option is exploit-detection technology, which makes it difficult for hackers to take advantage of vulnerabilities in software.

Once malware gets in, one of the best ways to catch it is through appliances that monitor application behavior and network traffic. Security information and event management systems, which flag abnormalities in network hardware and software logs, are popular.
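As an added example, not code from the article or from AT&T, Mandiant or any other company it names, here is a small Python script that applies the two ideas just described (the ISP-style watch for unusual outbound traffic and the SIEM-style flagging of abnormal log entries) to a constructed set of outbound flow records: a steady-cadence connection to one destination, a transfer far above the host's own baseline, and a large off-hours upload. The log format, host names, addresses and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample of outbound flow records (not real traffic). One record per line:
#   <ISO-8601 timestamp> <internal host> <destination IP> <bytes sent>
# Destination addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
2013-02-04T09:00:00 ws-reporter1 203.0.113.10 4200
2013-02-04T09:05:00 ws-reporter1 203.0.113.10 3900
2013-02-04T09:10:00 ws-reporter1 203.0.113.10 4100
2013-02-04T09:15:00 ws-reporter1 203.0.113.10 4000
2013-02-04T09:20:00 ws-reporter1 203.0.113.10 4300
2013-02-04T09:25:00 ws-reporter1 203.0.113.10 4000
2013-02-04T09:12:00 ws-reporter2 198.51.100.7 120000
2013-02-04T10:30:00 ws-reporter2 198.51.100.7 180000
2013-02-04T14:03:00 ws-reporter2 203.0.113.55 90000
2013-02-05T02:10:00 ws-reporter2 198.51.100.9 1500000
2013-02-04T11:00:00 ws-editor1 198.51.100.7 50000
2013-02-04T11:02:00 ws-editor1 198.51.100.7 30000
2013-02-04T11:47:00 ws-editor1 198.51.100.7 80000
2013-02-04T13:15:00 ws-editor1 198.51.100.7 20000
2013-02-04T16:40:00 ws-editor1 198.51.100.7 60000
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    host: str
    dst: str
    nbytes: int


def parse_flows(text):
    """Parse whitespace-separated flow records; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dst, nbytes = parts
        try:
            flows.append(Flow(datetime.fromisoformat(ts), host, dst, int(nbytes)))
        except ValueError:
            continue
    return flows


def detect_beaconing(flows, min_events=5, max_jitter=0.2):
    """Flag (host, dst) pairs contacted at a steady cadence: at least min_events
    connections whose gaps all lie within max_jitter of the median gap.
    Returns (host, dst, median_gap_seconds) tuples."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.host, f.dst)].append(f.ts)
    hits = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        typical = median(gaps)
        if typical > 0 and all(abs(g - typical) <= max_jitter * typical for g in gaps):
            hits.append((host, dst, typical))
    return hits


def detect_volume_spikes(flows, factor=5):
    """Flag flows larger than factor times the sending host's own median flow size,
    so the baseline is per host rather than a single global threshold."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.host].append(f.nbytes)
    baseline = {host: median(sizes) for host, sizes in by_host.items()}
    return [f for f in flows if f.nbytes > factor * baseline[f.host]]


def detect_off_hours_bulk(flows, min_bytes=1_000_000, night_start=22, night_end=6):
    """Flag transfers of at least min_bytes that start between night_start and
    night_end (hours in the log's local time)."""
    def at_night(ts):
        return ts.hour >= night_start or ts.hour < night_end
    return [f for f in flows if f.nbytes >= min_bytes and at_night(f.ts)]


def run_checks(text=SAMPLE_FLOWS):
    """Run all three checks over a log and return the findings by check name."""
    flows = parse_flows(text)
    return {
        "beaconing": detect_beaconing(flows),
        "volume_spikes": detect_volume_spikes(flows),
        "off_hours_bulk": detect_off_hours_bulk(flows),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

On the sample, the 5-minute cadence from ws-reporter1 is flagged as beaconing while ws-editor1's irregular visits to the same external address are not, and only the 1.5 MB night-time upload from ws-reporter2 trips the other two checks.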

There is no one technology that can combat a sophisticated attack like the one against the Times. Organizations that could be targets must build layers of security that start with employees' laptops and build inward to the network behind the firewall.

-Antone Gonsalves




WISDOM WATCH

Broken Tools Edition

Symantec. The New York Times is not blameless in missing security vulnerabilities that allowed Chinese hackers to burrow deep into its systems. But its Symantec security tools failed to catch the malicious activity as well. Then Symantec did something companies should never do: Blame the customer.

Kaspersky. The Russian security giant has had several well-publicized security failures in recent years, including a significant hack of its systems in 2009 and yet another botched update last month that caused headaches for its customers. But the company deserves credit for taking full responsibility each time.

F-Secure. The Helsinki-based vendor also knows the embarrassment of being attacked. Around the same time as the 2009 Kaspersky breach, F-Secure was forced to acknowledge that its site had been the victim of an SQL injection attack. The company was honest and apologetic after that, and has been during subsequent failures.


Sophos. Back in September, Sophos customers reported that the software detected the Shh/Updater-B malware, indicating an attack was under way. It turned out to be a false positive. Sophos issued a fix, then did something more: Admitted the problem in a headline in its Naked Security blog. That’s good customer service. -B.B.

Gozi Takedown Is Big, But Not Big Enough


THE JANUARY INDICTMENT OF THE alleged masterminds behind the Gozi Trojan was significant for several reasons, security experts say. But it is not expected to change the malware threat landscape significantly.

As is the case in the drug trade, if one major cartel falls, there are plenty of others waiting to take its place.

The first measure of the importance of the bust was Gozi’s success. The U.S. Attorney’s Office of the Southern District of New York, in announcing the indictments against three of the Trojan’s creators, called it “one of the most financially destructive computer viruses in history, [which] infected over 1 million computers globally and caused tens of millions of dollars in losses."

Dell SecureWorks, which discovered the Gozi Trojan in 2007, believes the elimination of its creators means it will likely fade away. The three at the top of the Gozi Trojan operation were arrested months or years ago. They all now face multiple charges, including bank, computer and wire fraud.




Don Jackson wrote at the Dell SecureWorks blog: “Without active development and support from the Gozi godfather and his indispensable inner circle of co-conspirators, I believe the Gozi threat will cease to evolve and will eventually die through attrition."

The U.S. Attorney’s office says Nikita Kuzmin, a Russian national who created Gozi, was arrested in the United States in November 2010 and pled guilty before U.S. District Judge Leonard B. Sand to various computer intrusion and fraud charges in May 2011.

Deniss Calovskis, a Latvian national also known as “Miami,” who allegedly wrote some of the computer code that made the Gozi virus so effective, was arrested in Latvia last November.

Mihai Ionut Paunescu, a Romanian national known as “Virus," allegedly ran a “bulletproof hosting" service that enabled cybercriminals to distribute the Gozi virus, the Zeus Trojan, and other malware, along with committing other cybercrimes. He was arrested in Romania last December.

Preet Bharara, U.S. attorney for the Southern District of New York, holds a news conference in January. Federal prosecutors charged three people with creating and distributing the computer virus known as the Gozi Trojan.

Paul Ducklin, writing on Sophos’ Naked Security blog, labeled Kuzmin the COO, Paunescu the CIO and Calovskis the senior Web consultant of the operation.

Jackson wrote that Gozi was successful largely because it had been “developed clandestinely and operated by a very small group of highly capable and experienced cybercriminals.”

But that was also Gozi’s Achilles heel, he wrote. “This structure limited the amount of intelligence that could be gathered, but it also concentrated the technical know-how and capabilities required to run a profitable Gozi operation into a few key individuals.”

Security blogger Brian Krebs says Calovskis’s arrest could be significant. Krebs, who has covered several phases of the Gozi Trojan operation, told CSO Online that the arrest of Miami (if that really is who Calovskis is) is a “bigger deal" than this version of Gozi dying out.

“I cannot verify whether American prosecutors got the right guy in arresting Calovskis, and of course, all are innocent until proven guilty,” he says.

"But  if  prosecutors  have  in  fact  arrested 
Miami,  then  that  is  probably  the  most  signifi¬ 
cant  aspect  of  this  case,  because  his  specialty 
was  devising  custom  injects-plug-ins  for 
different  malware  families  that  help  users  of 
these  bot  programs  target  specific  financial 
institutions,"  Krebs  says. 

-Taylor Armerding




What’s Your Appetite?

Practical strategies for identifying your company’s real tolerance for risk. By David Geer


IN A 2012 CUSTOMER SURVEY CONDUCTED by the Corporate Executive Board (CEB), 70 percent of respondents said they do not have a formal risk-appetite approach in place. “Seventeen percent said they have something in place that is actually working,” confirms Matt Shinkman, senior director of risk management research and advisory at the CEB.

This won't come as a surprise to CSOs and CISOs. Most security veterans have seen, or directly experienced, instances of company leadership nodding absently when asked to acknowledge risks, then reacting with complete surprise when a negative event actually occurs. Conversely, many security experts can also recount cases where the company was not taking on enough risk to achieve its aggressive business goals.

It's hard to implement business-appropriate security controls without a clear understanding of how much risk, and what kinds of risk, the business is willing to accept. The solution is an accurate formal picture of risk appetite. Yet it is difficult, at best, to derive accurate risk-appetite assessments. CSOs need direct participation from other C-level executives to calculate risk appetite reliably.

The Roots of Risk-Appetite Misperception

Many organizations believe they have a consensus on their risk appetite. “From the companies we work with, we hear that while they don’t have a formal risk appetite, they know how they all feel about it. But when we sit down to go over it formally, they don't all see their risk appetite the same as much as they thought they did,” explains Shinkman.
don’t  have  a  formal  risk  appetite,  they  know 
how  they  all  feel  about  it.  But  when  we  sit 
down  to  go  over  it  formally,  they  don't  all  see 
their  risk  appetite  the  same  as  much  as  they 
thought  they  did,”  explains  Shinkman. 

Jonny Gray, head of global client risk services for the Americas at Control Risks, suggests that the competing vantage points of the stakeholders formulating the risk appetite impede the process of developing it. “People have different risk appetites based on role and responsibility. Legal has a different appetite than the business developers do,” says Gray.

Gray’s observations come from workshops his firm leads for organizations wanting to understand their risk appetites.

“When we do these workshops, two things happen. First, the people sitting around the table have widely differing opinions of their company’s risk appetite. Second, risk appetite is often delegated to mid-level managers rather than top C-levels,” says Gray. Since experts confirm that C-level executives should be at the table, the latter observation is more disconcerting than the former.

Exposures, Intended and Unintended

When executives do not have a clear understanding of their risk appetite on an operational level, their companies may invest in things that expose their organizations to risks the executives or board members may not be willing to take, according to Craig Faris, principal in the Americas risk transformation practice at Ernst and Young.

There is unfortunately no shortage of examples of such cases. Oil companies have invested in drilling in certain areas without taking a full accounting of the environmental risks involved. “In the Gulf of Mexico, oil companies knew the risk existed, but these risks exposed and damaged their brands. If they had considered the actual risk level, they could have said, ‘No, we don’t have the capacity to manage that risk,’ or, ‘Let’s do it and increase our capacity to manage that risk,’” says Faris. (See the Gulf Oil Spill Tracker for an idea of the frequency of these events, http://oilspill.skytruth.org.)

In the consumer products industry, companies release products without thinking through their exposure. One example is products that are intended for small children but that pose a choking hazard. “Companies often do not contemplate their risk, which can go way beyond their desired appetite to include legal risks,” says Faris.

Companies experience risks in foreign nations, including places where the C-suite did not know the company had assets. “We help clients where their people have been kidnapped and the C-levels did not know they had people in that country. There is a misalignment between risk taking and risk appetite,” says Gray.

Gray’s firm addressed an expropriation issue in Venezuela, where President Hugo Chavez's government had nationalized a foreign business. Executives at the business’s European headquarters were surprised that they had exposed themselves to this risk. “The fact that these organizations are unaware they have such risk suggests a breakdown in governance of risk management,” Gray says.

There are cases where companies discover that their risk appetite is too small. “A healthcare organization had a CEO who felt that his company was too conservative and that his business leaders were not taking full advantage of the opportunities facing their industry,” says Shinkman. In this instance, the CEO asked internal leadership about risk appetite and whether the company was taking on enough risk. “In the end, they invested more aggressively into another line of business, using an increased risk appetite to seek out greater opportunity,” says Shinkman.

In another instance, Shinkman relates, a large bank grew its risk appetite after asking itself, “How do we want to run the business, and what do we want our portfolios to look like?” “When the bank’s Middle Eastern portfolio took a big loss, the bank executives decided they were comfortable with that level of risk,” he says.

Articulating and Addressing Risk Appetite

To articulate risk appetite, the CSO should gather the company’s strategic ambitions at the highest level. “The CSO needs to determine the risks the organization must take to achieve those ambitions, the risks that are unacceptable, and the risks the company has to take as a part of executing in the given market,” says Faris. The CSO should engage the C-suite and the board in making these determinations.

Gray takes stakeholders through the risks associated with conducting the given type of business using a risk matrix. “We ask them whether a given exposure to risk is acceptable given the likelihood and severity of the risk,” says Gray. Then the organization can decide how to address the risk.

According to Gray, at this stage stakeholders decide whether to tolerate, terminate, treat or transfer the risk. If the risk is acceptable, the company will not do anything about it. If the risk has changed or is unacceptable, the company will terminate it by ceasing those operations. Treating the risk means reducing the likelihood or impact of the risk, and transferring the risk means covering it through insurance.

Risk  Frameworks 

Security experts identify risk frameworks and methodologies with applications for ERM and risk appetite, recommended together with the proprietary methodologies that they use or see organizations using.

“About 40 percent of the companies we work with base their ERM on COSO, and another 40 percent base theirs on the ISO 31000. The other 20 percent use an ad-hoc or homegrown approach,” says Shinkman.

The PricewaterhouseCoopers Americas Risk Transformation Practice uses its own distillation of industry practices rather than frameworks to guide clients to improve operational strategic performance by measuring their operational risk appetite. “Frameworks are not as valuable as our expertise and experience,” Faris explains.

“Because we need a global methodology, we have our own standard that we call the Security Risk Assessment Methodology (our proprietary approach), which draws on others,” says Gray. Control Risks' methodology draws on a number of security frameworks from around the world.

Driving Risk Appetite Development Home

CSOs should get commitment to, participation in and sign-off from the C-suite and preferably the board as well when constructing a formal risk appetite.


BLOG POST

Getting the Board on Board


FOR ENTERTAINMENT, I TROLL several LinkedIn groups, including Enterprise Risk Management. (You see that I have a strange definition of entertainment.) My eye recently fell on a lively discussion about a paper from the Institute of Internal Auditors (IIA): “The Three Lines of Defense in Effective Risk Management and Control."

The three lines of defense as described in the IIA paper are: operational managers, risk and compliance functions, and assurance (i.e. audit). Makes sense so far.

However, Sean Lyons, principal at RISC International (Ireland), offered a mix of praise and criticism for this model.

I wanted to dig into Lyons’s observations further, and we had this email exchange.

CSO: First of all, in a LinkedIn discussion you say, “from a responsibility, accountability and transparency perspective, I support such a model.” Could you elaborate on this? How does this model help deliver on those three elements?

Lyons: It is my experience that in many organizations there can be a certain lack of clarity in relation to the roles and responsibilities of the three lines of defense described in the paper. For example, it is not uncommon for “the business” and operational management (first line of defense) to think that the risk-management function is the primary owner of the risks facing the organization and to not fully appreciate or acknowledge their own responsibility in this regard. It is also not uncommon to see the second line of defense (e.g. risk management, compliance, security) operating independently in silo-type structures rather than cohesively. Additionally, the internal audit function (third line of defense) is often seen as the gatekeeper responsible for the management of risk.

This type of confusion among the different lines of defense can be the source of disagreements and power struggles. Ultimately, such lack of clarity can hinder the organization and result in the creation of vulnerabilities, which diminish the robustness of the organization’s overall defense framework.

Although I do have certain reservations about the IIA position paper, it does clearly articulate the roles and responsibilities of each of the three lines of defense and how they can contribute to an organization’s defense framework. This can assist in improving issues in relation to holding each of these lines of defense to account, which would help ensure that each fulfills its defense obligations to the organization and its stakeholders.

I am, however, extremely disappointed that the IIA paper has not recognized the board and senior management as equally critical to the defense framework. I have previously highlighted this fundamental flaw in my response to the COSO public draft exposure of their Internal Controls Integrated Framework, of which the IIA is a sponsoring organization.




CSO: You make the argument that these three lines of defense are presented in service of the CEO and board, but the CEO and board should actually function as additional lines of defense for the interests of stakeholders. So five lines, not three. What practical effect would that have? How might a company’s behaviors change?

Lyons: In my view, for such a corporate defense framework to operate effectively (like many other enterprisewide programs) the important starting point is the ownership and buy-in at the very top of the organization.

The tone at the top sets the tone throughout the organization and will determine how seriously it is viewed by the business and the extent to which such an approach becomes embedded within the corporate culture of the organization.

Excluding these two lines of defense from the model can give the impression that they are somehow outside the defense framework and therefore do not have skin in the game. There are many recent examples (e.g. JPMorgan Chase’s “Whale” investigation) where the board and senior management have not performed appropriate oversight over the other three lines of defense and in their own defense have actually pleaded ignorance of the activities under scrutiny. For a lines-of-defense model to operate effectively, there needs to be accountability from the boardroom down to the shop floor.

For this reason, I believe the five lines of defense model removes the opportunity for the board and senior management to abdicate their responsibilities towards their stakeholders, and the adoption of such an extended model will help ensure that all lines of defense are held accountable for their obligations.

CSO: I recognize you are not speaking for the IIA paper’s authors. But it interests me that security is never explicitly named in this paper. I see “various risk-management and compliance functions,” and examples listed, such as “health and safety, supply chain, environmental, or quality monitoring" and of course “internal controls.” But never security. For good operational risk management, it seems necessary for all these groups to work together closely. But that cooperation still lags. In your experience, is the security function (or functions) a blind spot for auditors and risk managers? If they want to work closely with the security function, wouldn’t they recognize it by name?

Lyons: I fully agree that security (physical and information) is often overlooked in this type of discussion. Many related models or frameworks (e.g. ERM, internal controls, and governance, risk and compliance [GRC]) do not specifically address the importance of security in the overall context and tend to place security in a subordinate role to many of these other activities, such as risk management, compliance and assurance.

I would however suggest that this is a challenge that needs to be proactively addressed by the security community rather than relying on other functions to recognize the importance of security.

I personally believe that security is a critical element of corporate defense and is an important topic which needs to be elevated to the C-suite level and beyond to the corporate boardroom agenda. I have addressed this issue in more detail in my Conference Board paper entitled “Security as a Critical Component of Corporate Defense,” which was sponsored by the Department of Homeland Security as part of their ongoing project to assess security risk exposure and business preparedness in the private sector. (View the paper at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1635918)

Security management is a critical element of the second line of defense, which includes the management of other critical components such as GRC, intelligence, resilience, controls and assurance. The second line of defense is constantly evolving, and numerous developments have been occurring here recently. It would appear that each of these components is now beginning to morph with each of the other components, and it is becoming increasingly difficult to determine where one component ends and another begins.

I have addressed these developments in more detail in my paper “The Changing Face of Corporate Defence in the 21st Century.” (View the paper at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1288732)

In my opinion, in order to help ensure that a security focus is represented at the C-suite level, CSOs (with the assistance of the various security representative bodies) will need to adapt from a siloed view of security and learn to integrate security with the other second-line-of-defense components. This will require CSOs to broaden their horizons and improve the organization’s perception of the added value of security. This will require focusing on security’s intangible as well as its tangible value. Ultimately, this added value needs to be in alignment with, and complement, overall corporate strategy.

I  believe  this  represents  a  great  opportu¬ 


nity  for  those  security  professionals  who  are 
flexible  and  adaptable  enough  to  stretch 
outside  the  traditional  security  boundaries 
and  are  capable  of  applying  their  considerable 
experience  and  expertise  in  a  more  strategic 
and  tactical  manner  in  order  to  become  more 
closely  aligned  to  the  organization’s  business 
strategy. 


“Confusion  among  the  different  lines  of 
defense  can  be  the  source  of  ongoing 
disagreements  and  power  struggles. 
Ultimately  such  lack  of  clarity  can...result 
in  the  creation  of  vulnerabilities.” 


20 www.csoonline.com March 2013




The Hot Security Skills of 2013

We asked, experts answered: Here's what you need to know to stay marketable. By Lauren Gibbons Paul


Most successful CSOs will tell you it was a unique mix of skills that propelled them to their current position. Technical background is important, certainly, but practice in the business and excellence in communication are paramount for any CSO truly worthy of a place in the C-suite. We don't expect that to change any time soon.

But every few years, a few super-hot skills get added to the mix, ones that will make you even more attractive (to your company and to future employers) and keep you on top of your game. You may need to bring in some of these skills by maintaining a well-rounded staff, rather than by acquiring them yourself.

Here are the skills that our sources say are among the most important right now.

Diverse technology experience. Familiarity with both information- and physical-security technologies is important at the highest rung of the security ladder, according to Carl Young, CSO of Stroz Friedberg, a global digital-risk-management and investigations firm. The increasing interdependence between these areas demands a broad perspective on risk management.

Ability to anticipate needs. By understanding the needs of the industry and keeping on top of new technologies and threats, good CSOs can identify the special skills and expertise (such as analytics expertise or a specialty in malware) needed in their new hires on both the information- and physical-security fronts, says Young.

Fluency in the IT side of physical security. Tom Verzuh, president of recruiting firm SCW Consulting, is seeing great demand for physical-security professionals who are fluent in technology, especially digital-video software management and analytics. Brent O'Bryan, vice president at AlliedBarton Security Services, confirms his firm is hiring professionals who have experience in the convergence of physical and information security.

Many, if not all, of the devices used in physical security today (including smartphones and digital-video surveillance systems) produce loads of data. Making sense of that sea of data requires special expertise, which is highly in demand right now. "The way to increase your value as a physical security professional is to invest in learning the world of IP networking and Microsoft server technologies and data analytics solutions," says Charles Foley, chairman and CEO of Watchful Software. "Security pros that know these two areas will be able to spearhead their companies' efforts to streamline costs, increase value delivered, and will literally sell information collected to the rest of the organization."

Advanced data-protection expertise. Hardening the perimeter is good basic hygiene, but it is no longer enough. Information-protection skills are in great demand, according to Foley: in particular, knowledge of data-centric technologies such as enterprise rights management, multilevel security models, data classification techniques and biometrics.

"This is why you see increasing numbers of courses and certifications. The skills to approach the business problem, lay out coherent strategies that are digestible to the common user, and set forth tactical deployment plans are extremely difficult to find," says Foley.

"Familiarity with both information- and physical-security technologies is important at the highest rung of the security ladder."

-Carl Young, CSO, Stroz Friedberg

Business and financial acumen. Sought-after CSOs understand the key business lines in their respective organizations and the impact of security on a company's bottom line, says Young. This understanding is also important for recognizing where potential vulnerabilities might lie within the organization, such as with outsourced services or data, or lines of business that are popular targets for cyberattacks.

CSOs that have an advanced business degree such as an MBA are always going to be that much more desirable than those who do not, according to Jerry Irvine, CIO of IT outsourcing company Prescient Solutions and a member of the National Cyber Security Task Force. "From the standpoint of being able to understand business drivers, strategic planning, understanding the mission and vision, CSOs must have business experience. If they're going into large multinational corporations, that will probably require an MBA or a degree in business administration," says Irvine. Technical certifications such as CISM, CISSP, CRISC and COBIT are helpful, but CSOs need to prove they have a grounding in business-risk analysis.

Good communications skills. It will always be extremely important to be able to communicate with diverse audiences, says Young. Not only must CSOs make complex security issues understandable to the enterprise at large, they must also make it clear how important security risk, particularly digital risk management, is to the executive suite's agenda. David Luzzi, executive director of Northeastern University's Strategic Security Initiative, adds logical reasoning and the ability to inspect ideas as important skills to build on the foundation of excellent verbal and written communication skills.

Adaptability. David Frymier, CSO at Unisys, has more than three decades of experience in IT, with much of his recent years devoted to information security. Frymier is not inclined to get a certification or an MBA to make himself more attractive at this point in his career. His take on one of the top skills to have today? "The ability to self-teach is a given," says Frymier. "As fast as things change, you have to be able to teach yourself how to do new things."


SOCIAL SECURITY

"Ghostery does a pretty good job of letting me know about tracking cookies. But it also does a pretty good job of crashing my browser."

-Andrew Jaquith, @arj

"Love how cynical folk in this industry are. Leadership finally acknowledges a problem on a big scale, but most of what I see is grumbling over 'cyber.'"

-Wesley McGrew, @McGrewSecurity

"The privacy-destroying cyber bill CISPA has returned to Congress for debate, and it's just as horrible as before."

-Trevor Timm, @trevortimm

"If I'm a large corp., could I set up phishing targets that go directly to antivirus companies...so AV companies can thwart even targeted phishing?"

-Robert David Graham, @ErrataRob




Joan Goodchild, Senior Editor
jgoodchild@cxo.com; Twitter: @msjoanieg


Are You Reactive When You Should Be Proactive?


Charles Renert, vice president of research and development for Websense Security Labs, stopped by CSO's headquarters last month to talk about a threat-landscape report his company will release soon. While he was here, I asked him about what he says is a continued emphasis on reactionary security among many organizations and security leaders.

"A lot of the companies I talk to don't make a proactive investment," Renert told me. "They wait to be attacked, then put measures in place. But in the heat of the battle, you aren't going to have good security architecture in place."

When explaining why he thought being proactive would produce better results, Renert made this interesting point: "Proactivity helps you understand how the attackers work. When you put your mind into the framework an attacker works from, you see the kind of opportunities they look for."

As you know, hackers are primarily seeking financial gain these days. But the fact that attacks share a common motive does nothing to limit the number of forms they can take, such as theft of intellectual property, invading an employee's privacy to extract key data, or defacing your website or other aspects of your brand because the hackers are working for an entity that wants to sully your company's reputation.

Hackers have started targeting their victims much more narrowly, and they are now more likely to build a long-term attack in hopes that their efforts will pay off with a big win in the end, says Renert. But security leaders at many organizations still aren't paying enough attention.

One thing that's distracting them, says Renert, is the constant headlines about hacks of sites like Twitter and Facebook, which get a lot of tongues wagging but don't really represent the kind of threats an enterprise needs to guard against.

"A security executive will call me and say 'Twitter was hacked again. What can I do to protect my users?'"

While the question is well-meaning, Renert thinks the emphasis on these high-profile threats is misplaced, and all organizations should re-examine their internal controls to ensure their security protects against the kind of attacks they're really up against, which can be going on silently, in the background, undetected for years.

"The punch line for CSOs is that the controls that have been deployed, and the way CSOs think about security doesn't always reflect the reality of the threat landscape today," he says.

Do you agree with Renert's assessment? Is your security posture proactive or reactive?




5 Tough Interview Questions (and Tips on the Best Ways to Answer Them)


Eric Cowperthwaite, CSO at Providence Health and Services, doesn't care how great a job candidate's credentials and experience look on paper. He wants to see what kind of impression they make on his team.

"It doesn't matter how much I like you or how impressed I am by your skills. Show up and rub the team the wrong way, that's the end of the line."

That's why when Cowperthwaite is vetting candidates for the security department at Providence, a nonprofit Catholic healthcare services organization, he has every one of them meet with the team they will be working with before they get to sit down with him. He believes their impression is what matters most.

"It costs a lot in terms of team dynamics and effort and work that goes undone if you bring someone in that doesn't fit," says Cowperthwaite. "If someone doesn't fit, you have to start all over again in six months and hire someone else."

It's fair to say that those fortunate job candidates who do get an interview with Cowperthwaite have proven themselves to a large extent before they even sit down with him. But he still has three important questions he wants to ask.

1. How do you collaborate?

Cowperthwaite asks this to gauge a candidate's attitude. Are they easy to get along with? Or do they adopt an I'm-in-charge attitude when working with other team members or people outside of security?

"It's a pretty open-ended question," says Cowperthwaite. "I want to know: how do they build teams? What is their approach to working with others? Probably the most common thing I run into is folks whose approach to collaboration is to try to force teamwork from a position of assumed authority. They show up and say 'I'm from security and we are running a security project and I need you to do X, Y and Z.'"

This kind of answer rubs Cowperthwaite the wrong way. That is not how he wants his team to collaborate with others. Instead, he'd rather hear that the candidate has a skill in team-building that helps them approach others in a less abrasive manner.

"The better answer is: 'I sit down with them and explain what my needs are and ask if they can help.' That's a far better answer."

2. Why do you want this job?

"Whether they are employed or unemployed, I'm curious," says Cowperthwaite. "While I happen to think working in my organization is a great thing, I'm curious what attracts them to the job."

For obvious reasons, Cowperthwaite says this can help weed out the frequent job jumpers simply looking for a short-term opportunity to improve their credentials on their resume.

"I like the idea of people who are committed to doing great security work and being part of a team and contributing to my corporate mission and culture," he says.

He's also received many bizarre answers.

"I had one candidate tell me they were applying for the job because it would solve their commute and toll problems. Call me crazy, but those don't seem like reasons why I should hire you. At no point did they tell me they were excited to be part of my team and to do great information-security work."




3. What questions do you have for me?

Cowperthwaite likes this other open-ended question because it also offers him a lot of insight into the job-seeker's motivations for wanting the job.

"If you're wanting to know about pay, benefits and promotions, that's a red flag. I'm not the guy to ask those questions. I'm the guy to ask about the mission of the security department. How do we go about accomplishment? What are the opportunities to learn within the company? I want to hear: 'What do you envision my role to be and how I can contribute to the mission of this company?' Those are all questions I like to hear."

Cowperthwaite also noted the way the interviewee asks the questions gives him some further idea on how they might work.

"Someone who is looking for independence and broad boundaries when they ask these questions also tend to be people who are very motivated, committed and strategic contributors."

TOP-LEVEL HIRING

Daniel Kennedy, research director for information security and networking at TheInfoPro, a division of 451 Research, previously interviewed security job candidates as the global head of information security for D.B. Zwirn and Co., and as development manager and vice president of application security at Pershing, a division of the Bank of New York.

Kennedy's style of questioning is a bit more pointed than Cowperthwaite's, but that also makes it more appropriate for hiring at the top level, for executive positions such as CSO and CISO. He offered these two favorite questions.

1. How will you earn and keep your seat at the table with other senior executives?

Kennedy says he likes to ask this question because it tells the interviewer about the prospective security manager's ability to remain relevant to an organization.

"Too often the CISO is buried in the company's organizational structure, in too junior a role, an acknowledgment that as a company we need a CISO to keep up appearances, but not exactly a vote of confidence in the CISO's ability to make an impact on the corporate DNA to improve security."

While he notes there is no one right answer to this question, there are a number of wrong answers that reveal the interviewee has no strategic plan, or no experience talking to senior managers.

"The CISO position is a strategic one. There is a strong technical component, but a CISO must be able to communicate an ongoing vision for security within a company early and often. It isn't easy; it means getting invited to the right steering meetings, maintaining the confidence of fellow senior managers, and speaking in a language that informs those without a security background without overwhelming [them]."

2. What are ways you've prioritized and shepherded information-security projects at other companies you've been with?

Kennedy says this question gives him some perspective on a candidate's record of success in past positions.

"The fact is most large companies have a lot of moving parts that must be accessed to get anything done, and a CISO must be an effective project manager, able to tap into and motivate resources they don't always organizationally 'own,'" he says.

"If someone responds that their job was only to recommend a course of action or to write policies without follow-through, I view that as a possible warning sign of someone who isn't looking to make a difference in the corporate culture, but would rather work on their own and isn't particularly concerned with the actual posture of security at their company as long as they remain employed and are asked what they think now and then. On the other hand, responses that talk about developing requirements with business units, presenting potential cost savings to project steering committees, or working closely with the compliance/audit [group] to resolve security deficiencies indicates some level of experience in working through the political landscapes of large organizations."

-Joan Goodchild




Cover Story

A Winning Strategy

How one CSO is unifying the security programs in a bustling Midwestern city. By George V. Hulme

During the 2007 housing crisis, Columbus, Ohio—like most municipalities—faced significant tax shortfalls and revenue constraints. That year was also marked by security events—on the physical security side, the Department of Homeland Security completed its Sector-Specific Plans for critical infrastructure protection. On the IT side, public and private-sector organizations faced phishing attacks focused on stealing sensitive information and intellectual property.


That was the environment when Miki Calero joined the City of Columbus as CSO.

He immediately got to work improving the city's ability to manage risk to physical and IT assets by more tightly integrating security. Early his first morning, as he picked up his ID badge, he spoke to the facilities security manager about which physical access databases could be unified first. Six years in, the implementation of an enterprise security risk management (ESRM) program has improved security across the city, ensuring Columbus complies with seven sets of regulations and streamlining costs by combining existing security and technology investments with increased efficiencies.

That's no small accomplishment for a city the size of Columbus. With roughly 790,000 residents, it's the 15th-largest city in the United States, covering 217 square miles and incorporating more than 200 government facilities dealing with permits, taxes, telecommunications and critical infrastructure for IT and utilities.

This is the story of how Calero and his team are pulling it off.




Photography by Stephen Webster. Pictured: Miki Calero, CSO of the City of Columbus, Ohio




Early Challenges

Before the ESRM program was put in place, IT security was handled by a couple of analysts and by server administrators and network engineers, all of whom had many other responsibilities.

As at most organizations back then, and many still today, the work of securing IT systems was getting done, but without unified authority. That likely left gaps in protection that could have proven costly.

The highest reporting level for IT security was a manager, and the analysts "were primarily focused on running antivirus, monitoring and filtering Web content, reviewing requests for system and network accounts, and similar operational responsibilities," Calero says. Each IT group had its own budget, which made it difficult to plan and control security costs.

Physical security needs were defined by individual agencies, each managing their own access-control systems and surveillance cameras, using tools and equipment bought at different times from different vendors, and paid for by multiple sources. There were no standards for the tools and equipment, no security project coordination or strategy to converge with IT security.

"I have a strong view that physical and cyber security risk need to be managed holistically," Calero says, so before he would agree to take the position, he made sure the title was CSO, not CISO. He wanted to make sure he could take a convergence approach to security, which involves pursuing a comprehensive security strategy and a supporting project to implement the ESRM program.

Columbus city leadership took its first step toward ESRM by funding the capital improvement project for its implementation. This multiyear endeavor is bolstering security already in place, upgrading capabilities, adding capacity, and laying foundational elements for unifying security for telecommunications, cyber and physical assets, and critical infrastructure and industrial-control systems. At the same time, the city formed its official ESRM group, which is in charge of security risk management and regulatory compliance.

Realizing  the  Vision 

Shortly  after  he  was  hired,  Calero  was 
invited  to  give  a  presentation  to  the 
city  cabinet  as  a  way  to  build  aware¬ 
ness  of  the  new  CSO  position,  as  well 
as  to  make  the  leaders  aware  of  security 
policies  and  of  C alero ’s  plan  to  handle 
physical  and  IT  security  together. 


32  www.csoonline.com  MARCH  2013 


“Putting  a  face  to  the  CSO  position 
and  sharing  the  vision  with  the  cabinet 
was  key,”  he  says. 

Sharing  a  vision  is  one  thing.  Mak¬ 
ing  it  reality  is  another.  As  the  program 
was  being  created,  the  city  was  facing 
a  budget  shortfall  of  $115  million,  and 
Ohio’s  two-year  $28.5  billion  discre¬ 
tionary  budget  was  projected  to  come 
up  more  than  $7.3  billion  short. 

“While  the  capital  project  was  already 
in  place,  budget  shortfalls  loomed. 
Everyone  knew  we  had  to  do  our  part 
to  reduce  security  costs.  We  focused 
on  what  we  could  consolidate  and  help 
others  consolidate  using  early  ESRM 
successes  as  reference,”  Calero  says. 

When  the  Economic  Advisory  Com¬ 
mittee,  which  was  commissioned  by 
the  mayor  to  review  the  city’s  financial 
health,  sought  cost  savings  proposals 
from  city  leadership,  Calero’s  included 
unifying  building-access-control  sys¬ 
tems  and  video  surveillance,  expand¬ 
ing  security  for  the  city’s  extensive  fiber 
optic  network,  maximizing  use  of  the 
centralized  security  command  center, 
and  consolidating  or  outsourcing  secu¬ 
rity  functions. 

Ultimately,  revenue  generation  sta¬ 
bilized  the  budget ,  but  the  opportunity 
to  promote  security  convergence  was 
not  lost. 

“Detailing  the  efficiencies  that  would 
be  gained  helped  grow  acceptance  of 
the  program,”  Calero  says. 

At  that  point,  the  CSO  had  the  funding 
for  the  project,  a  strategy  for  the 
program  and  a  vision  of  where  to  take  it. 
What  he  needed  now  was  buy-in  from 
stakeholders  across  the  city,  he  says. 

Rather  than  seeking  mandates, 
Calero  chose  to  create  an  atmosphere 
of  collaboration  through  “security 
cooperatives” — security  awareness 
training  in  partnership  with  facilities 
security — and  by  dedicating  an  analyst 
to  physical  security  alignment. 

“If  you  don’t  win  their  hearts  and 
minds,  you  are  not  going  to  get  any¬ 
where,”  he  says. 


Maintaining  separate  access-control 
systems  in  each  building,  including  the 
police  station,  was  expensive  and  made  it 
more  difficult  to  manage  access  properly. 
Calero  centralized  the  system,  resulting 
in  tighter  security  and  big  cost  savings. 

Once  that  was  done,  Calero  set  out  to 
learn  about  and  unite  key  teams,  man¬ 
agers,  vendors,  and  consultants. 

“Knowing  them,  of  their  construc¬ 
tion  projects,  hearing  about  planned 
facility  renovations  or  general  security 
needs  is  making  it  possible  for  me  to 
bring  them  together,  see  if  they  have 
common  security  needs,  share  secu¬ 
rity  assets,  or  just  make  them  aware 
of  existing  assets  they  did  not  know 
existed,”  he  says. 

Security  effectiveness  increased 
while  cost  and  management  burdens 
decreased.  On  the  IT  side,  coordinated 
actions  across  departments  readied 
city  assets  for  when  the  Multi-State 
Information  Sharing  and  Analysis 
Center  would  issue  early  warnings. 

The  centralized  security  command 
center  increased  building  security. 
The  $500,000  command  center,  fin¬ 
ished  in  2010,  is  staffed  by  up  to  20 
people.  Should  an  event  trigger  an 
alarm,  the  footage  from  an  appropri¬ 
ate  video  camera  will  be  displayed  on 
the  monitors. 

A  few  years  ago,  the  city’s  video  sur¬ 
veillance  system  had  a  couple  hundred 
video  cameras,  but  today  that  number 
is  600  and  growing. 

The  importance  of  unifying  the  city’s 
building-access-control  system  cannot 
be  overstated.  Over  the  years,  the  city 
had  adopted  a  hodgepodge  of  such  systems, 
all  of  which  were  implemented 
at  different  times,  resulting  in  multiple 
variations  on  the  same  system  even 
where  a  standard  system  was  used. 

Maintaining  separate  building- 
access-control  systems  not  only  made 
it  much  more  difficult  to  manage  access 
properly,  but  it  was  also  expensive. 

According  to  Calero,  consolidating 
the  purchase  of  equipment  related 
to  the  city’s  access-control  systems 
reaped  a  15  percent  one-time  savings, 
as  well  as  about  a  15  percent  average 
annual  savings  in  the  cost  of  recurring 
maintenance,  and  an  additional  3  percent 
long-term  savings  from  increased 
efficiency. 

Photo  caption:  The  city’s  old  police  department  building 
is  undergoing  a  massive  renovation,  which 
incorporates  enhanced  physical-security  and 
access-control  features.  Work  is  scheduled 
to  be  completed  in  April.  Once  finished, 
the  building  will  house  the  City  Attorney’s 
Office,  the  Civil  Service  Commission,  the 
Department  of  Human  Resources,  the  Income 
Tax  Division,  the  Public  Safety  Director’s 
Office,  and  the  Purchasing  Office. 

Building  Security  In 

While  many  organizations  strive  to 
incorporate  security  into  an  asset’s 
lifecycle,  Calero  has  succeeded  in 
bringing  it  to  buildings  and  facilities 
development. 

“Building  security  is  IT  security, 
too,”  says  Calero.  “Every  information 
system  has  a  physical  security 
requirement.  The  building  itself,  the 
rooms,  the  network  itself— all  must  be 
reasonably  physically  secure,  and  that 
includes  integrating  secure  design  very 
early  in  the  phases  of  construction 
projects,”  he  says. 

This  includes  the  upgrade  of  the 
police  department  headquarters  that 
the  city  is  currently  undertaking.  To 
better  secure  the  tax  offices,  which  will 
be  housed  there,  Calero  began  working 
early  in  the  process  with  the  tax  agency, 
building  architect  and  oversight  con¬ 
tractor  to  establish  requirements  for 
physical  security,  including  surveil¬ 
lance-camera  placement  and  network 
closet  security. 

Other  agencies  are  now  coming 
to  Calero  and  his  team  to  ask  for  secu¬ 
rity  advice  when  they’re  planning 
projects  such  as  renovating  recreation 
centers  or  building  new  pool  houses. 




“[The  CSO]  being  brought  to  the 
table  is  a  win  for  the  city.  Internal 
subject-matter  expertise  is  invalu¬ 
able  in  reducing  the  cost  of  security 
and  increasing  security  effectiveness,” 
Calero  says. 

“Vendors  will  come  in  and  install 
security  equipment  [without]  asking 
to  see  the  most  recent  risk  assess¬ 
ment.  If  they  review  it,  the  assessment 
will  not  tell  them  about  available  con¬ 
nectivity — 280  miles  of  fiber  owned 
by  the  city — or  the  strategy  to  unify 
security  systems  and  manage  them 
from  the  command  center.  They  may 
propose  physical  servers  be  purchased 
and  installed  on-site  with  a  battery 
for  backup  power,  while  the  city  has 
redundant  data  centers  full  of  virtual¬ 
ized  servers.” 


Another  strategy  helped  consolidate 
security  efforts  and  shift  costs 
so  it  was  easier  to  fund  convergence 
efforts,  Calero  says.  By  outsourcing 
operational  IT  security  functions  to  a 
services  provider,  annual  costs  were 
cut  from  $380,000  to  $95,000,  and 
the  relationship  established  the  foundation 
for  adding  physical  security 
information  management  (PSIM)  to  the  current 
security  information  and  event  management 
(SIEM)  capabilities. 

“Encompassing  both  IT  and  physi¬ 
cal  security  event  correlation  will  lead 
to  increased  situational  awareness,” 
Calero  says. 
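The kind of physical/IT event correlation Calero describes, as an added example that is not the city’s code or any vendor’s: a replay of constructed badge-reader and logon records that flags a workstation logon in a building the user has not badged into, and a VPN logon by a user who is currently badged in on site. The record formats, user and building names, and the two rules are assumptions for illustration.

```python
"""Correlate physical badge events with IT logon events.

Added example: not code from the city described in the article or from any
vendor. The record formats, names and detection rules are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    user: str
    building: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str
    source: str  # building of a wired workstation, or "vpn"


# Constructed sample records (not real data): "timestamp user building in|out"
BADGE_LOG = """
2013-03-04T07:58:10 alice city-hall in
2013-03-04T08:01:30 bob   police-hq in
2013-03-04T12:05:00 alice city-hall out
"""

# Constructed sample records (not real data): "timestamp user source"
LOGON_LOG = """
2013-03-04T08:03:12 alice city-hall
2013-03-04T08:10:45 bob   vpn
2013-03-04T08:30:00 carol city-hall
2013-03-04T12:40:00 alice city-hall
"""


def parse_badges(text: str) -> List[BadgeEvent]:
    events = []
    for line in text.strip().splitlines():
        ts, user, building, direction = line.split()
        events.append(BadgeEvent(datetime.fromisoformat(ts), user, building, direction))
    return events


def parse_logons(text: str) -> List[LogonEvent]:
    events = []
    for line in text.strip().splitlines():
        ts, user, source = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), user, source))
    return events


Alert = Tuple[datetime, str, str]


def correlate(badges: List[BadgeEvent], logons: List[LogonEvent]) -> List[Alert]:
    """Replay both streams in time order while tracking where each user is badged in.

    Rules (assumed for this example):
      NO_BADGE:           workstation logon in a building the user is not badged into
      VPN_WHILE_ON_SITE:  VPN logon while the user is badged into a city building
    Badge events sort before logons carrying the same timestamp, so a badge-in
    immediately followed by a logon is treated as legitimate.
    """
    timeline: List[Tuple[datetime, int, Union[BadgeEvent, LogonEvent]]] = (
        [(b.ts, 0, b) for b in badges] + [(lg.ts, 1, lg) for lg in logons]
    )
    timeline.sort(key=lambda item: (item[0], item[1]))

    presence: Dict[str, Optional[str]] = {}  # user -> building currently badged into
    alerts: List[Alert] = []
    for ts, _, ev in timeline:
        if isinstance(ev, BadgeEvent):
            presence[ev.user] = ev.building if ev.direction == "in" else None
            continue
        here = presence.get(ev.user)
        if ev.source == "vpn":
            if here is not None:
                alerts.append((ts, ev.user, f"VPN_WHILE_ON_SITE:{here}"))
        elif here != ev.source:
            alerts.append((ts, ev.user, f"NO_BADGE:{ev.source}"))
    return alerts


def run_example() -> List[Alert]:
    return correlate(parse_badges(BADGE_LOG), parse_logons(LOGON_LOG))


if __name__ == "__main__":
    for ts, user, reason in run_example():
        print(f"{ts.isoformat()} {user:6} {reason}")
```

On the constructed data this raises three alerts: bob connecting over VPN while badged into police headquarters, carol logging on in city hall with no badge record at all, and alice logging on in city hall after badging out. In practice the badge and logon clocks must be synchronised and a tolerance window added for readers that log late; otherwise the NO_BADGE rule generates noise.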

While  the  city  has  come  a  long  way, 
Calero  says,  he  also  believes  there 
is  much  more  to  be  done,  including 
further  integrating  video  and  access 
systems,  adding  more  facilities,  and 
exploring  industrial-control-systems 
monitoring  with  the  outsourced  security 
service  provider. 

Photo  caption:  The  Franklin  County  Government  Center  along 
South  High  Street  in  downtown  Columbus 
will  undergo  a  complete  renovation  that 
could  take  10  years  and  cost  $90  million. 
Like  other  recent  projects,  this  one  will 
include  significant  security  enhancements 
that  meld  physical-  and  IT-based  defenses. 

“We  are  not  finished  yet.  Not  by  a  long 
shot.  But  we  are  moving  forward  and 
leveraging  wins  both  big  and  small.” 


■  George  V.  Hulme  is  a  freelance  security 
and  technology  writer  based  in  Minnesota. 
You  can  also  find  him  tweeting  about  those 
topics  on  Twitter:  @georgevhulme. 



Cartoon:  The  Duffy/Carr  Companies 
“Putting  Tomorrow  Behind  Us!” 

From  the  desk  of 
John  Johnson  II,  CEO 
The  Duffy/Carr  Companies 

To:  Pete  Peterson 

[The  rest  of  the  memo  is  only  partly  legible  in  the  scan;  the  recoverable  fragments  follow.] 

[...]  month’s  employee  security  [...]  strongly  support  [...]  attendees  [...]  departments  [...] 

However,  [...]  feedback  cards  and  asked  me  to  bring  a  couple  to  your  attention,  in  the  event  we  ever  do  this  again. 

[...]  cards  [...]  about  access  [...]  who  I  am  anyway,  and  everybody  knows  [...] 

In  the  comments  section  [...]  who’s  doing  background  [...]  people? 

Whatever  this  “active  shooter  scenarios”  segment  was,  it  got  especially  low  ratings. 

—  John 




CUSTOMER  VIEWPOINT  /  ADVERTORIAL 
CSO  Custom  Solutions  Group:  Security  Risk  Intelligence 
By  CSO  Staff 

Leslie  Lambert 
Vice  President  and  Chief  Information  Security  Officer,  Juniper  Networks 

Saryu  Nayyar 
Founder  and  Chief  Executive  Officer,  Gurucul 

For  more  information:  download  the  free  whitepaper,  “Identity-centric  Behavioral  Risk  Intelligence,”  at  http://www.csoonline.com/whitepapers/gurucul 

Turn  Black  Swans  Gray 
with  Human  Behavioral 
Risk  Intelligence 


Today’s  organizations  are  exposed  to 
a  growing  array  of  risks  and  threats. 
Defense-in-depth  is  a  necessity,  but 
not  enough  to  safeguard  against  unwarranted 
activities  on  your  network.  Read  our 
conversation  on  protecting  intellectual 
property  and  regulated  data  proactively 
by  using  identity-centric  behavioral 
risk  intelligence  solutions,  garnering 
immediate  business  value. 

Traditionally  how  have  organizations 
managed  volumes  of  security  data 
generated  by  info  security  solutions? 

Lambert:  Organizations  have  typically 
deployed  teams  of  people  with  specialized 
skill  sets  to  solve  the  problem  of  analyzing 
massive  amounts  of  security  and  log  data. 

I  spent  an  entire  year  building  a  Security 
Operations  Center  to  monitor  alerts  with 
expert  analysts  to  run  the  tools.  With  more 
events  taking  place  on  our  networks,  there 
is  no  end  to  the  amount  of  data  being 
collected.  Organizations  need  to  graduate 
to  higher  levels  of  automation  and  leverage 
technology  to  make  sense  of  the  data. 

What  technologies  are  available  to 
automate  evaluation  of  this  data? 

Nayyar:  Intelligent  context  is  needed  to 
interpret  large  amounts  of  security  data. 

A  Security  Risk  Intelligence  (SRI)  solution 
like  GuruCul  Risk  Analytics™  (GRA) 
collects,  correlates,  and  normalizes  data 
from  HR,  IAM,  SIEM,  applications  (incl. 
cloud),  mobile  and  storage  devices,  DLP 
and  others  to  convert  petabytes  of  data 
into  intelligence.  GRA  takes  a  unique 
approach  by  adding  identity-centric, 
human  behavior  context  into  a  data  rich 
world;  it  learns  user  access  and  activity 
patterns  with  its  continuous  self-learning 
algorithms  to  provide  prioritized  actionable 
risk  intelligence— risky  users,  outlier  access 
and  anomalous  behaviors.  This  enables 
transition  from  a  manual,  reactive  approach 
to  an  automated,  proactive  one. 

How  does  a  SRI  solution  work  with  access 
control  to  combat  modern  day  threats? 

Lambert:  The  root  cause  of  most  modern 
attacks  is  identity  compromise  or  its  misuse. 
SRI  solutions  correlate  access  and  activity 
data  from  systems  and  connect  it  to  user 
identities.  These  solutions  create  user  access 
and  activity  baselines  and  automatically 
detect,  log,  alert  and  block  anomalous 
access  to  systems.  This  enhances  access 
controls  and  brings  actionable  intelligence 
to  combat  modern  day  threats. 

How  can  identity-centric  behavioral  risk 
analytics  help  protect  intellectual  property 
and  regulated  information? 

Lambert:  Being  a  key  producer  of  unique 
intellectual  property  in  the  networking 
and  security  product  space,  we  are  very 
concerned  with  protecting  our  IP.  We  use 
behavioral  analytics  to  model  people’s 
behavior  over  a  regular  day  with  their 
specific  role  on  our  network.  We  see 
patterns  of  what  they  access  and  choose 
to  look  at.  With  their  behavioral  profile 
baselined  we  can  detect  anomalous 
behavior  and  outlier  access. 
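As an added example of the baselining Lambert describes (not Juniper’s or Gurucul’s code): a small per-user and per-role access baseline is learned from constructed historical records, and recent events are then scored for resources new to the user, outlier access that no peer in the same role has ever made, and off-hours activity, ranked by a simple weighted risk score. The record format, the role directory, the resource names and the weights are all assumptions for illustration.

```python
"""Identity-centric access baselining and anomaly scoring.

Added example: not Juniper's or Gurucul's code. Record format, roles,
resource names and risk weights are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

Event = Tuple[datetime, str, str]  # (timestamp, user, resource)

# Constructed role directory (stands in for an HR/IAM feed).
ROLES = {"alice": "engineer", "bob": "engineer", "dave": "engineer", "carol": "finance"}

# Constructed historical access records used to learn the baseline.
HISTORY = """
2013-02-04T09:12 alice src-repo
2013-02-04T09:30 bob   src-repo
2013-02-04T10:02 dave  src-repo
2013-02-04T10:15 alice build-farm
2013-02-04T11:00 bob   build-farm
2013-02-05T09:05 carol payroll-db
2013-02-05T14:20 carol payroll-db
2013-02-05T15:00 alice src-repo
"""

# Constructed recent records to be scored against the baseline.
RECENT = """
2013-03-04T09:40 alice src-repo
2013-03-04T02:15 alice src-repo
2013-03-04T10:00 bob   payroll-db
2013-03-04T11:30 dave  build-farm
"""

# Assumed weights: an access no role peer has ever made is the strongest signal.
WEIGHTS = {"NEW_RESOURCE": 1, "UNUSUAL_HOUR": 2, "OUTLIER_VS_PEERS": 3}


def parse(text: str) -> List[Event]:
    out = []
    for line in text.strip().splitlines():
        ts, user, resource = line.split()
        out.append((datetime.fromisoformat(ts), user, resource))
    return out


def hour_distance(a: int, b: int) -> int:
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


class Baseline:
    def __init__(self, roles: Dict[str, str]):
        self.roles = roles
        self.user_resources: Dict[str, Set[str]] = defaultdict(set)
        self.user_hours: Dict[str, Set[int]] = defaultdict(set)
        self.role_resources: Dict[str, Set[str]] = defaultdict(set)

    def role_of(self, user: str) -> str:
        return self.roles.get(user, "unknown")

    def learn(self, events: List[Event]) -> None:
        for ts, user, resource in events:
            self.user_resources[user].add(resource)
            self.user_hours[user].add(ts.hour)
            self.role_resources[self.role_of(user)].add(resource)

    def reasons(self, ts: datetime, user: str, resource: str) -> List[str]:
        found = []
        if resource not in self.user_resources[user]:
            found.append("NEW_RESOURCE")
            # Outlier access: nobody in the same role has ever touched this resource.
            if resource not in self.role_resources[self.role_of(user)]:
                found.append("OUTLIER_VS_PEERS")
        hours = self.user_hours[user]
        # Off-hours: more than two hours away from every hour seen in the baseline.
        if hours and min(hour_distance(ts.hour, h) for h in hours) > 2:
            found.append("UNUSUAL_HOUR")
        return found


def rank_events(baseline: Baseline, events: List[Event]) -> List[Tuple[int, str, str, List[str]]]:
    """Score each event and return the non-zero findings, highest risk first."""
    ranked = []
    for ts, user, resource in events:
        reasons = baseline.reasons(ts, user, resource)
        score = sum(WEIGHTS[r] for r in reasons)
        if score:
            ranked.append((score, user, resource, reasons))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


def run_example() -> List[Tuple[int, str, str, List[str]]]:
    baseline = Baseline(ROLES)
    baseline.learn(parse(HISTORY))
    return rank_events(baseline, parse(RECENT))


if __name__ == "__main__":
    for score, user, resource, reasons in run_example():
        print(f"risk={score} {user:6} {resource:10} {','.join(reasons)}")
```

On the constructed data the top finding is bob, an engineer, reaching the payroll database that no other engineer has ever accessed; alice’s 02:15 access to a resource she uses daily ranks next, and dave’s first use of the build farm ranks lowest because his peers already use it. A real baseline needs far more history than a few days, and a learning window that an attacker cannot poison by slowly widening the “normal” set.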

How  does  a  SRI  solution  empower  users 
to  help  mitigate  risk? 

Nayyar:  Advanced  SRI  solutions 
have  a  “Self-Audit”  capability  where 
actual  and/or  suspect  activity  is  sent 
to  end  users  periodically  for  their 
review.  Self-Audits  empower  users 
with  actionable  risk  information,  truly 
combining  technology  and  human 
intelligence  to  identify  anomalous  activities 
that  may  not  otherwise  be  identified.  Self- 
Audits  also  create  awareness  that  user 
activity  is  being  monitored.  Real-world 
implementations  of  this  technology  have 
uncovered  insider  threats,  and  espionage 
cases  and  have  seen  a  10%  rate  of  return.  ■ 


Advertisement:  Cisco  Unified  Computing  System 

Industry-Leading  Database  Performance:  34%  Faster  (2) 
Outperforms  RISC  by  57%  on  Java  Applications  (3) 
Business  Operations  Per  Second:  Unparalleled  Cisco  Server  Performance  (1) 
With  Intel  Xeon®  processors 

Cisco.  TOMORROW  starts  here. 

For  more  performance  information,  visit  cisco.com/go/ucsbenchmarks. 

1.  Based  on  SPECjbb2005  benchmark  on  Cisco  UCS  C220  M3  server  at  1,584,567  BOPS,  792,284  BOPS/JVM.  2.  Based  on  TPC  Benchmark  C  results  on  2-processor  systems:  Cisco  UCS  C240  M3  High-Density  Rack  Server  with  Oracle  Database  11g  Release  2  Standard  Edition  One,  1,609,186.39  tpmC,  $0.47/tpmC,  available  9/27/12,  compared  to  IBM  Power  780  Server  Model  9179-MHB  with  IBM  DB2  9.5,  1,200,011.00  tpmC,  $0.69/tpmC,  available  10/13/10.  3.  Based  on  SPECjEnterprise2010  benchmark  with  8  total  Java  EE  Server  processors  on  Cisco  UCS  B440  M2  servers  at  26,118.67  EjOPS  compared  to  RISC-based  IBM  Power  780  at  16,646.34  EjOPS.  SPEC®,  SPECjbb®,  and  SPECjEnterprise®  are  registered  trademarks  of  Standard  Performance  Evaluation  Corporation.  TPC  Benchmark  C®  is  a  trademark  of  the  Transaction  Processing  Performance  Council  (TPC).  The  performance  results  described  here  are  derived  from  detailed  benchmark  results  available  at  http://www.spec.org  and  http://www.tpc.org  as  of  1-15-2013.  ©2013  Cisco  and/or  its  affiliates.  All  rights  reserved.  All  third-party  products  belong  to  the  companies  that  own  them.  Cisco,  the  Cisco  logo,  and  Cisco  UCS  are  trademarks  or  registered  trademarks  of  Cisco.  Intel,  the  Intel  logo,  Xeon  and  Xeon  Inside  are  trademarks  or  registered  trademarks  of  Intel  Corporation  in  the  U.S.  and/or  other  countries.  All  other  trademarks  are  the  property  of  their  respective  owners. 


